After a four month investigation by the Security Fix blog at washingtonpost.com, the firm allegedly responsible for hosting several organizations involved in illegal spamming and other suspicious activity was taken offline by its ISPs.  As soon as McColo Corp. was shut down on Tuesday afternoon, the total volume of spam on the internet fell by two-thirds.

It is unclear whether McColo Corp. will be held liable for any illegal activity.  At present, their website is not accessible. Typically hosts are not responsible for the activities that take place on their servers, except in the case of child pornography.  However, several security researchers claim that the firm is the host for many of the most prolific botnets online as well as more than 40 child-porn sites.  A similar drop in spam volume occurred back in September when Intercage was shut down, but was short-lived as the server found a new home within a week.  According to washingtonpost.com, security experts worry that shutting down the hosting service will cause the illegal activity to spread across multiple networks, thus making it harder to track and more difficult to mitigate.

Click the link below to read the full investigative report from Brian Krebs at washingtonpost.com:

Host of Internet Spam Groups is Cut Off

A photo of Biebrich Castle taken by LashBack CEO Brandon Phillips.

Last month, LashBack executives attended the eco/LAP 6th Annual German Anti-Spam Summit in Wiesbaden, Germany. At the three-day event held at Biebrich castle, we were able to meet and converse with members of law enforcement agencies representing 146 countries, as well as internet compliance and regulatory consultants like Hein Dries, who owns Vigilo Consult. Attendees and participants included the FTC, ENISA, Hessen-IT, OPTA, Spamhaus and officials from the UK, Germany, Australia, New Zealand and South Korea, among others.

The first day of the conference focused on spam’s latest trends and figures. Highlights included messaging security solutions provider Cloudmark’s presentation with eleven GmbH on the trends and figures of spam, ENISA’s comparison of the existing ISP’s code of conduct in the area of spam, and a presentation by Merijn Schik of the European Commission. The second day featured information on advance fee fraud, lottery spam and the regulatory and preventive actions of law enforcement. A presentation on international law enforcement cooperation included speakers from online divisons of The U.S. Department of Justice, The U.S. Postal Inspection Service, the Amsterdam Police, the Belgian Federal Computer Crime Unit, and OPTA.

LashBack executives learned the latest trends in email security and a new perspective on online crime from several international regulatory bodies. LashBack CEO Brandon Phillips stated, “In Weisbaden, we were able to gain new insights into how investigators go about prosecuting email-based crime in the real world. We found the general consensus from these key international law enforcement bodies is, due to a downturn in the economy, cases of online fraud and criminal activity are on the rise.”

The increase in illegal activity has come in the form of criminals reviving the practice of leveraging corporate email infrastructures to send mail through open relays and even some secured relays. As the economy tightens up, responsible email marketers must be ever vigilant when it comes to the overall compliance of their mailing program- this means keeping a close eye on sending reputation and protecting the integrity of your brand. But more on that next time…

The growth of social networks has not been limited to the adult world of MySpace and Facebook; it has also been widely reported that the number of children visiting virtual world sites will double nearly in the next few years. More than 100 sites for children have been launched since 2005 and range from sites where children adopt and care for virtual pets to interactive social sites which allow communication via chat or blog. ENISA, the European Network and Information Security Agency has recently published a whitepaper entitled: Children on virtual worlds; what parents should know. The report outlines what caregivers should expect from the different types of browser based gaming sites available to children 7 years old and younger as well as tweens, or children between the ages of 8 and 12.

In addition to providing general classifications of the behavior that children exhibit in virtual worlds, ENISA maps out how to control and monitor a child’s online presence in order to protect them from unwanted targeted advertising, access to adult sites, identity theft and other potential abuse. The whitepaper lists 25 tips for parents on how to best ensure a positive, enriching online gaming experience while maintaining the utmost concern for safety and privacy.

Beginning October 1, 2008, the state of Nevada will begin enforcing legislation which requires all businesses that send cosumer identification data over the web to use encryption. Requiring all businesses to use encryption is aimed at securing electronic transmissions and ultimately aiding in the protection of consumer privacy.

However, the legislation, passed in 2005, provides a vague definition of ‘encryption’ and does not specify the penalties for violating the law. Some concern exists that the law leaves wiggle room to consider a password protected email to be ‘encrypted’, which may not accomplish the level of privacy for consumers that the law was intended to accomplish. Nevada legislators may have to better clarify the law, or wait for a possible lawsuit filing to establish new precendence surrounding the statute.

With cases of online fraud on the rise in the form of dictionary attacks, phishing, and suppression file theft, encryption to further protect consumer data is a step in the right direction. Hopefully, Nevada legislators will be able to hammer out the details of the law and enforce encryption in a cost-effective way that both protects consumers and limits liability for marketers.

For more on Nevada’s email encryption law, read the article by Susan J. Campbell.

In a similar case of opt-in fraud, a website called Spamza.com has recently been shut down by its host GoDaddy for allowing visitors to sign up virtually any email address to what the site claimed was “hundreds of newsletters”. The site allowed individuals to anonymously subject their enemies’ email addresses to heinous amounts of fraudulently opted-in mail.

Signing up an email address at Spamza caused it to be resold from one illegal operation to another, posing a potential nightmare for single opt-in email marketing campaigns and compliant marketers unknowingly obtaining data containing opt-in fraud. This is why LashBack encourages not only compliance with CAN-SPAM laws but also best practices such as confirmed opt-in.

Anyone in the business of purchasing leads is well aware why opt-in fraud creates such a big problem. The leads gathered from fraudulent sign-ups are not legitimate single opt-in or confirmed opt-in email addresses. When false sign-ups occur, however, they pose a much greater threat in a single opt-in scenario than in a confirmed opt-in one. Due to the nature of the single opt-in, addresses could easily be signed up without proper confirmation from the address owner.

To be continued…

This is Part Two of a three part post on opt-in fraud and bad data. Click here to read Part One.

To read more about Spamza, check out blogs by Justin Premick, Word to the Wise, and Dancho Danchev.

The Internet Corporation for Assigned Names and Numbers has approved a plan to allow for an unlimited number of top-level domains. The plan will allow any established business or entitiy to self-select and apply for its own top level domain. For example, instead of the typical .com, .org, or .net, we could see new, more brand specific, or industry specific domains such as .dell or .computer. Also, city-based domains will be considered. For example, San Francisco based sites may use .sf, or London related sites may be available at .london.

The stakeholder-recommended new domains represent limitless opportunities for online business and an exponential expansion of the Internet. However, the domains will not be sold, and ICANN will have a controlled, limited application process. The plan is to have objection-based mechanisms to prevent trademark stealing and offensive domain names.

A final version of the implementation plan must be approved before the application process for new domains can begin. ICANN is working to publish the final plan by early 2009 and hopes to begin registering new domains by next year’s second quarter. Click here to view the press release.

Thursday, Yahoo began offering free email accounts under two new domain names. The new domains, @ymail and @rocketmail, were made available to users because most of the desired handles at the Yahoo domain, which has been around since 1997, are already taken. Yahoo is currently the email market leader, with 266 million users in April, followed by Microsoft at 264 million, according to research firm, comScore Inc.

Yahoo is likely adding the new domains to compete with Google’s fast-growing Gmail, which has added 30 million users in the past year. Because of the popularity of Yahoo email, new users were forced to pick long or complicated handles that were difficult to remember. Yahoo hopes to expand its email universe by offering more options to new users and users unhappy with their current addresses. The new accounts will have the same features as current Yahoo accounts, including unlimited free storage. Yahoo expanded their storage limits from 3 megabytes to unlimited in response to Gmail, which upped the ante by offering 1 gigabyte of storage. Although email service is free, it is obviously important in fostering user loyalty and creating lucrative advertising opportunities.

For more info Read the AP article by Michael Liedtke here.

It’s been several years now since the finalization of the SenderID/SPF and DKIM specifications.  And for these several years, we in the reputation space have been hanging our hats on the importance for authentication as a required component to solving the problem of spam.  I still believe authentication is critical.  But, unfortunately politics has gotten in the way of progress. 

In order for authentication to work, everyone needs to agree on a standard and implement it.  Yet, a certain major player in the space who shall remain unnamed has continued to push their standard and decided not to adopt the standard the rest of the industry is following.  As a result, authentication has stalled. 

Don’t get me wrong, I am pleased about the adoption of SenderID/SPF.  Just looking at the stats from our corporate mail server, 40% of the email we receive is authenticated using SenderID/SPF.  That’s pretty impressive. 

But, until this entity either does the right thing and starts adopting SenderID/SPF or gets bought (looking less likely now), I believe authentication will continue to fail to be the necessary component we had all hoped it would be in the war against spam.

The fact that the politics of authentication has gotten in the way of progress is very discouraging.  Personally, I have a lot of ideas on how to leverage authentication for new solutions to make email more reliable for both the sender and the receiver.  But, looking at the difficulty in just getting the major players to agree in this case makes me feel that change is a very difficult fight, even for the most powerful players.  If the big dogs can’t make change, how can I?

LashBack is a devoted Dell shop.  All our servers and most of our desktops proudly display the Dell logo.  Like most businesses who buy Dell, I often receive email marketing from Dell.  Historically, the email offers I receive from Dell are fully CAN SPAM compliant.  Their opt out process is kind of cumbersome, but generally the mail is best of breed. 

Yet, much to my surprise, I have been receiving a lot of non-compliant messages lately.  These are not corporate-sponsored mailings, but instead mailings from their sales staff touting the latest deal.

Today I received an email from a salesperson at Dell telling me about "Great Deals on Laser Printers".  Never mind that I didn’t even know the salesperson or have a prior relationship with them.  The message appeared so spammy I am surprised it made it through my spam filter.  I have included a copy of this message, because it really is shocking to me.  This is definitely a commercial message and subject to CAN SPAM requirements, yet there is no unsubscribe option and not even a physical address.  If the FTC were to see this mail, I am not sure they would be too happy.

I am not trying to alienate Dell here.  Instead, this example brings up a critical thing about email -organizations and big brands often have salespeople mailing out special deals.  These emails are occurring outside of the standard marketing email stream and are flying below the radar of compliance control. This demonstrates the clear need for organizations to monitor all mail streams referencing their brand or sent from their organization or else face potential legal consequences.

The rule is that an email is either transactional or commercial, but never both. Because of the subject line and above the fold sales offer- with no account or transactional information even present- a reasonable consumer would think it was a commercial offer. These are the three tests. Dell fails all three for this message as well as failing on two major points of CAN-SPAM Compliance: no physical address, no unsubscribe mechanism.                  

I just wanted to rant a bit about the state of affiliate email marketing.  Today I had a discussion with an email advertiser whose offers were being spammed to several other companies’ suppression lists.  His response was: "It’s not my problem.  I use third party affiliates and affiliate networks.  The affiliate networks I contract with are responsible for the senders they use."  I then proceeded to tell him about the issues he was having with his own unsubscribe links, and I again received the same response.  It wasn’t his problem.  His unsubscribe practices are ’solid’.  It is the responsibility of the networks to police this.  And so on.

Affiliate marketing has its place in email.  Done properly, it works for consumers, senders and advertisers.  But I am appalled by the lack of accountability I see with some organizations - especially organizations who I would expect to care.  I see two options for affiliate email marketing - self regulate or be regulated.  I fear that as affiliate marketing continues to take an "it’s not my fault, it’s their fault" attitude, that government regulation will kick in.  Affiliate marketers need to start thinking a bit differently.  Perhaps instead of shifting blame to others, affiliate marketers - especially the advertisers — will start to realize that they are responsible too.